Compliance

Last updated: December 17, 2025

Overview

Supalytics is designed to be compliant with major privacy regulations out of the box. Because we don't collect personal data from website visitors, many privacy requirements simply don't apply.

GDPR (European Union)

Status: Compliant

The General Data Protection Regulation applies to the processing of personal data. Supalytics is GDPR compliant because:

What We Do

  • No personal data collection from website visitors
  • No cookies or tracking identifiers stored on visitor devices
  • Daily rotating hashes that cannot identify individuals
  • EU-only data storage (Netherlands & Germany)
  • Data minimization - we collect only what's necessary

What This Means

  • No consent banner required for Supalytics tracking
  • No legal basis needed for visitor data (it's not personal data)
  • No DPA required between you and Supalytics for visitor data
  • No data subject requests apply to visitor data

For Your Account Data

For the personal data we do hold (your email, name):

  • We process it under legitimate interest (providing the service)
  • You can access, correct, or delete your data anytime
  • We respond to data subject requests within 30 days

UK GDPR

Status: Compliant

The UK's implementation of GDPR follows the same principles. Supalytics is compliant for the same reasons as EU GDPR.

PECR (UK)

Status: Compliant

The Privacy and Electronic Communications Regulations require consent for storing information on user devices. Supalytics is compliant because:

  • We don't store any information on user devices
  • No cookies, no localStorage, no fingerprinting
  • The ICO has confirmed that analytics that don't use device storage don't require consent

ePrivacy Directive (EU)

Status: Compliant

Also known as the "Cookie Law", this directive requires consent for non-essential cookies. Supalytics is compliant because:

  • We don't use cookies at all
  • We don't access any information stored on user devices
  • Our tracking is purely server-side after the initial page request

CCPA (California)

Status: Compliant

The California Consumer Privacy Act gives California residents rights over their personal information. Supalytics is compliant because:

  • We don't collect personal information as defined by CCPA
  • We don't sell any data
  • We don't build profiles for cross-context behavioral advertising
  • No "Do Not Sell My Personal Information" link is required for Supalytics data

HIPAA (United States)

Status: No BAA Required

The Health Insurance Portability and Accountability Act protects health information. For Supalytics:

  • We don't collect Protected Health Information (PHI)
  • We don't collect any data that could identify patients
  • No Business Associate Agreement (BAA) is required
  • Healthcare websites can use Supalytics without HIPAA concerns

TTDSG (Germany)

Status: Compliant

The Telecommunications-Telemedia Data Protection Act implements ePrivacy in Germany. Supalytics is compliant because:

  • We don't store information on end-user devices
  • We don't access information stored on end-user devices
  • Our approach aligns with the "strictly necessary" exception interpretation

Do I need a cookie consent banner?

No. Supalytics doesn't use cookies, so cookie consent requirements don't apply to our tracking.

However, if you use other services that set cookies (advertising, marketing tools, etc.), you'll still need consent for those.

What about "legitimate interest"?

Since we don't process personal data from visitors, the question of legal basis (consent vs. legitimate interest) doesn't apply to Supalytics visitor tracking.

Data Residency

All visitor analytics data is processed and stored in the European Union:

Component             Location                Provider
Analytics Database    Frankfurt, Germany      Tinybird
Application Server    Amsterdam, Netherlands  Railway
Application Database  Amsterdam, Netherlands  Railway
Frontend/CDN          Frankfurt, Germany      Vercel

We do not transfer visitor analytics data outside the EU.

Security Certifications

Current

  • TLS/HTTPS encryption for all data in transit
  • AES-256 encryption for data at rest
  • EU-only infrastructure

Planned

  • SOC 2 Type II (planned)
  • ISO 27001 (planned)

Privacy Policy Template

If you'd like to mention Supalytics in your privacy policy, here's a template:

We use Supalytics for website analytics. Supalytics is a privacy-focused analytics service that does not use cookies or collect personal data from visitors. The data collected (page views, referrers, device type, country) is used to understand how our website is used and cannot be used to identify individual visitors. For more information, see the Supalytics Privacy Policy.

Questions?

For compliance-related questions, contact us at support@supalytics.co.

We're happy to provide additional documentation or clarification for your legal or compliance team.